Thwarting terrorism with creativity and lots of data

Updated: Nothing sends shivers down my spine quite like a hypothetical in which someone sets a whole block on fire after cutting off the fire department’s electric supply in order to slow its response. It’s a scary thought, but not entirely implausible. Perhaps it should give us some peace of mind, though, to know that armed with the right tools and, more importantly, the right mindset, these types of attacks might be preventable.

The topic came up during a recent call with Splunk’s director of security and compliance solutions, Mark Seward, after the FBI and Department of Homeland Security named Splunk as part of their toolkit for investigating a potential cyberattack on an Illinois water facility. That turned out to be a false alarm, but I was troubled by the notion that we were only doing data analysis forensically, after the fact. Gas pipelines, especially, are still under heavy attack. Forget finding out who did it; I want events stopped before they happen.

Seward said that’s possible, but not easy. Attackers have gotten so good, he said, and have such diverse attack vectors that it’s hard to predict what will happen when. “Security professionals have to harness the creativity of their minds to start thinking like a criminal,” he explained. They have to “think creatively about how someone would go about disrupting [a] service and what footprints would they leave behind.”

When that happens, it becomes possible to watch data in real-time and identify anomalies or put together patterns that suggest an attack might be underway. Splunk actually has a SCADA tool for pipelines that would let someone see changes in sensor data in real time, Seward said, in order to detect locations that stopped reporting or changes in pressure. Or maybe it’s as simple as noticing someone trying to access an application via Active Directory without permission.
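To make the pipeline case concrete, here is an added example (my own illustration, not Splunk code or anything Seward described in detail) of the two checks he mentions: flagging a location that has stopped reporting and flagging an abrupt pressure change. The site names, the 60-second heartbeat window, the 25 psi threshold and the readings themselves are all constructed for the example.

```python
"""Added example: streaming anomaly checks over pipeline sensor telemetry.

The readings, site names and thresholds below are constructed sample data,
not output from Splunk or any real SCADA system.
"""
from dataclasses import dataclass


@dataclass
class Reading:
    ts: int          # seconds since start of the sample window
    site: str        # sensor / pump-station identifier (hypothetical)
    pressure: float  # line pressure in psi


HEARTBEAT_SEC = 60    # assumed: every site is expected to report at least once a minute
MAX_DELTA_PSI = 25.0  # assumed: a larger jump between consecutive readings is suspicious

# Constructed telemetry: PS-02 drops 27 psi at t=60, then goes silent.
SAMPLE = [
    Reading(0, "PS-01", 410.0), Reading(0, "PS-02", 398.5),
    Reading(30, "PS-01", 412.0), Reading(30, "PS-02", 399.0),
    Reading(60, "PS-01", 411.5), Reading(60, "PS-02", 372.0),
    Reading(90, "PS-01", 411.0),
    Reading(120, "PS-01", 410.5),
    Reading(150, "PS-01", 410.0),
]


def detect(readings):
    """Process readings in time order; return a list of (ts, site, message) alerts.

    Silence is detected on arrival of any other reading, which stands in for a
    wall-clock tick: a site is reported silent once nothing has been heard from
    it for more than HEARTBEAT_SEC, and only once until it reports again.
    """
    last = {}        # site -> most recent Reading
    silent = set()   # sites already reported as silent
    alerts = []
    for r in sorted(readings, key=lambda x: x.ts):
        prev = last.get(r.site)
        if prev is not None:
            delta = r.pressure - prev.pressure
            if abs(delta) > MAX_DELTA_PSI:
                alerts.append((r.ts, r.site,
                               f"pressure change {delta:+.1f} psi in {r.ts - prev.ts}s"))
        last[r.site] = r
        silent.discard(r.site)  # a site that reports again is no longer silent
        for site, lr in last.items():
            if site not in silent and r.ts - lr.ts > HEARTBEAT_SEC:
                silent.add(site)
                alerts.append((r.ts, site, f"no report for {r.ts - lr.ts}s"))
    return alerts


if __name__ == "__main__":
    for ts, site, msg in detect(SAMPLE):
        print(f"t={ts:>4}  {site}  {msg}")
```

Run against the constructed sample, it raises two alerts: the 27 psi drop at PS-02 at t=60, and PS-02 going quiet, reported at t=150 once the gap exceeds the heartbeat window. The caveat is the one that bites in real deployments: a silent site is only noticed when something else arrives to drive the clock, so a production monitor needs a timer rather than relying on other sites' traffic.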

Seward said smart meters — and the electric grid, in general — are particularly important to monitor. In the case of smart meters, which are constantly sending usage data to power companies, employees could quickly correlate meter shutoffs with work orders on those buildings and GPS data to determine whether a company truck is at the site. At a small scale, Seward said, robbers monitoring smart grid data could identify houses to rob by looking for consumption footprints that suggest nobody’s home. At a large scale, they could try to power down air-traffic control towers, first-responder buildings or the utility providing water to cool rods at a nuclear power plant.
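The correlation Seward describes is simple to express once the three feeds sit side by side. The following is an added example of my own, not Splunk code: it joins constructed shutoff events against constructed work orders and truck GPS pings and labels each shutoff as expected, partially explained, or unexplained. Premise addresses, coordinates, the 150 m radius and the five-minute window are all assumptions made for the illustration.

```python
"""Added example: correlating smart-meter shutoffs with work orders and truck GPS.

All events, addresses, coordinates and thresholds are constructed sample data.
"""
from math import radians, sin, cos, asin, sqrt

# Constructed feeds. Timestamps are seconds within one sample window.
SHUTOFFS = [
    {"ts": 1000, "meter": "M-100", "premise": "12 Elm St"},
    {"ts": 1200, "meter": "M-200", "premise": "40 Oak Ave"},
    {"ts": 1300, "meter": "M-300", "premise": "7 Pine Rd"},
]
WORK_ORDERS = [
    {"premise": "12 Elm St", "start": 900, "end": 1500},
    {"premise": "7 Pine Rd", "start": 1250, "end": 1350},
]
PREMISE_COORDS = {  # hypothetical lat/lon per premise
    "12 Elm St": (41.8800, -87.6300),
    "40 Oak Ave": (41.8900, -87.6400),
    "7 Pine Rd": (41.8700, -87.6200),
}
TRUCK_PINGS = [
    {"truck": "T-1", "ts": 990, "lat": 41.8801, "lon": -87.6302},   # parked at Elm St
    {"truck": "T-2", "ts": 1310, "lat": 41.9500, "lon": -87.7000},  # kilometres from Pine Rd
]

TIME_WINDOW_SEC = 300   # assumed: a ping within 5 minutes of the shutoff counts
RADIUS_M = 150.0        # assumed: a truck within 150 m counts as "on site"


def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    r_earth = 6371000.0
    lat1, lon1 = map(radians, p)
    lat2, lon2 = map(radians, q)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * r_earth * asin(sqrt(h))


def has_work_order(shutoff, orders):
    """True if an order for the same premise covers the shutoff time."""
    return any(o["premise"] == shutoff["premise"] and o["start"] <= shutoff["ts"] <= o["end"]
               for o in orders)


def truck_on_site(shutoff, pings):
    """Return the first truck pinged near the premise around the shutoff time, else None."""
    here = PREMISE_COORDS[shutoff["premise"]]
    for p in pings:
        if abs(p["ts"] - shutoff["ts"]) <= TIME_WINDOW_SEC and \
                haversine_m(here, (p["lat"], p["lon"])) <= RADIUS_M:
            return p["truck"]
    return None


def assess(shutoffs, orders, pings):
    """Label each shutoff by how much of the expected paper trail supports it."""
    results = []
    for s in shutoffs:
        order = has_work_order(s, orders)
        truck = truck_on_site(s, pings)
        if order and truck:
            status = "expected"
        elif order:
            status = "order without crew on site"
        elif truck:
            status = "crew on site without order"
        else:
            status = "unexplained"
        results.append((s["meter"], status))
    return results


if __name__ == "__main__":
    for meter, status in assess(SHUTOFFS, WORK_ORDERS, TRUCK_PINGS):
        print(meter, status)
```

On the sample data M-100 is fully accounted for, M-300 has a work order but no truck nearby, and M-200 has neither, which is the case worth an analyst's attention. The point of the three-way split is that "no work order" and "no truck" fail independently, and a shutoff with neither is a different kind of event from a crew that simply forgot to log an order.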

It’s a concern he shares with former CIA director James Woolsey, who discussed the vulnerability of the grid and the need for the innovative minds working on smart-grid technologies to solve it at our Structure: Data conference in March.